CleanStart
Example Customer · CleanSight Dashboard
Data from scan … Generated May 26, 2026 09:25 UTC
Container Images · 33 · 33 microservice families
Vulnerability Instances · 18,025 · 2509 unique CVEs
KEV-Listed in Scan · 0 · CISA, actively exploited
EOL / Aging Distros · 0 · images on a base distro past EOL
Actionable (T1+T2+T3) · 0 · 0 KEV · 0 high-EPSS · 0 med
Projected Reduction · 92.0% · via CleanStart base swap
Overview
At-a-glance posture of the Example Customer container estate
Tier 1 · drop everything · Actively exploited (KEV): 0
Tier 2 · this sprint · High EPSS (≥0.5): 0
Tier 3 · this quarter · Medium EPSS: 0
Tier 4 · background · Low risk: 2509
● Severity Distribution
● Environment Split
● CleanStart Pairing Distribution
● Top Vulnerable Packages
Image Inventory
Image | Env | Vulns (sorted descending) | Current Base | CleanStart | Δ
CVE Explorer
Prioritised by exploitability tier.
CVE ID | Tier | Sev | CVSS | EPSS (sorted descending) | Package · Version | Layer
Base Image Migration
Where Example Customer is today vs. where CleanStart takes it
● Current Base Distribution
● CleanStart Pairings (Target)
Customer Image | Current Base (detected) | Confidence | CleanStart Pairing | Before | After
Docker-Layer View
Where the vulnerabilities live in the image stack
● Global stack — unique CVEs per layer
Image | Env | Layer Mix | Total CVE rows
Attack Path
Per-image exploit chain · 33 images · sorted by vuln count
Panel fields: attack path risk score · KEV CVEs in this image · total vulnerabilities · detected base image · CleanStart pairing · projected reduction
Legend: Critical / Exploitable · High · Image / Container · AWS infra (inferred) · CleanStart-remediated
Transparency: the AWS topology shown here (ECS Task name, ALB target group, public-facing status) is inferred from the standard ECS Fargate pattern for Spring Boot microservices behind an ALB; the SBOM scan does not include runtime topology. For confirmed exposure mapping, pair this with CleanSight's AWS-account discovery scan or an ECS service inventory pull.
CVE ID | Package · Version | CVSS | EPSS | KEV | Tier | Fix in CleanStart
Remediation steps for the selected path (CleanStart eliminates this entire attack path): P0 · Immediate · P1 · Network isolation · P1 · Fleet-wide swap · Policy · Prevent recurrence
CleanSight combines five data layers to construct attack paths. The scan you exported gives us layers 1 and 2 directly; layers 3-5 are inferred from your AWS ECS architecture pattern. A live CleanSight deployment with read access to the AWS account would populate them from the AWS APIs.
Layer 1 · SBOM intelligence (scan-derived): which packages live in which image, which Docker layer introduced them, and which CVEs apply to each version.
Layer 2 · Threat intel context (CISA KEV + FIRST EPSS · live): CISA KEV (actively exploited), FIRST.org EPSS (probability of exploitation in the next 30 days) and CVSS. Separates CVEs with evidence of exploitation from those that are only theoretically exploitable.
Layer 3 · Runtime topology (inferred · ECS API would populate): which images run as ECS Tasks in which cluster, with which IAM Task Role, and which can reach which downstream services.
Layer 4 · Network exposure (inferred · AWS ELB + EC2 API): which Target Groups sit behind public ALBs, which have AWS WAF in front, Security Group rules and VPC reachability.
Layer 5 · Tricorder anomaly (CleanStart Tricorder): runtime behavioural signal such as unexpected outbound calls or suspicious package metadata. Amplifies risk when an active anomaly and an exploitable CVE co-occur.
Risk scoring (CleanSight risk engine): attack path risk = EPSS × reachability × network exposure × lateral hops × anomaly. Paths are ranked by exploitability, not raw CVE count. Because the score is a product, a zero in any factor (for example reachability 0) zeroes the whole path, and the uncertainty of the inferred layers 3-5 carries straight into the ranking until the AWS APIs confirm them.
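The tiering and the risk product described above, as an added example rather than CleanSight's own engine. It assumes a medium-EPSS cutoff of 0.1 (the page only fixes the Tier 2 cutoff at 0.5), treats lateral hops as a (1 + hops) multiplier so a path with no lateral movement is not multiplied to zero, and defaults the Tricorder anomaly factor to 1.0; the CVE IDs, packages and topology values are constructed, not from the customer scan.

```python
# Added example (not CleanSight's code): rebuilds the dashboard's tiering and
# the attack-path risk formula over a constructed scan sample.
from dataclasses import dataclass

TIER2_EPSS = 0.5   # page: Tier 2 = High EPSS (>= 0.5)
TIER3_EPSS = 0.1   # ASSUMPTION: the medium-EPSS cutoff is not stated on the page


@dataclass(frozen=True)
class Finding:
    image: str
    cve: str
    package: str        # "Package · Version" column
    cvss: float
    epss: float
    layer: str          # Docker layer that introduced the package (Layer 1 data)


@dataclass(frozen=True)
class Topology:
    """Layers 3-5. On an exported SBOM scan these are inferred, so `confirmed`
    records whether the AWS APIs have populated them."""
    reachability: float      # 0..1; 0 = vulnerable package on no reachable code path
    network_exposure: float  # 1.0 behind a public ALB, lower if private / WAF-fronted
    lateral_hops: int        # downstream services reachable via the task role
    anomaly: float = 1.0     # Tricorder signal: 1.0 = none, >1 amplifies
    confirmed: bool = False


def tier(f: Finding, kev: frozenset) -> int:
    """KEV beats EPSS: an actively exploited CVE is Tier 1 whatever its score."""
    if f.cve in kev:
        return 1
    if f.epss >= TIER2_EPSS:
        return 2
    if f.epss >= TIER3_EPSS:
        return 3
    return 4


def path_risk(f: Finding, topo: Topology) -> float:
    # Literal form of the page's product. ASSUMPTION: hops enter as (1 + hops).
    return (f.epss * topo.reachability * topo.network_exposure
            * (1 + topo.lateral_hops) * topo.anomaly)


def rank_paths(findings, topology, kev):
    """Return (image, cve, tier, risk) rows: Tier 1 first, then by risk desc."""
    rows = []
    for f in findings:
        rows.append((f.image, f.cve, tier(f, kev),
                     round(path_risk(f, topology[f.image]), 4)))
    rows.sort(key=lambda r: (r[2], -r[3]))
    return rows


def actionable_summary(findings, kev):
    """Unique CVEs per tier, i.e. the '0 KEV · 0 high-EPSS · 0 med' line."""
    buckets = {1: set(), 2: set(), 3: set(), 4: set()}
    for f in findings:
        buckets[tier(f, kev)].add(f.cve)
    return {t: len(s) for t, s in buckets.items()}


# Constructed sample data; IDs and packages are placeholders, not real CVEs.
SAMPLE_KEV = frozenset({"CVE-2099-0001"})
SAMPLE_FINDINGS = [
    Finding("orders-api", "CVE-2099-0001", "libfoo 1.2.0", 9.8, 0.05, "base"),
    Finding("orders-api", "CVE-2099-0002", "libbar 3.1.4", 7.5, 0.72, "app"),
    Finding("billing-worker", "CVE-2099-0002", "libbar 3.1.4", 7.5, 0.72, "app"),
    Finding("billing-worker", "CVE-2099-0003", "libbaz 0.9.0", 5.3, 0.02, "base"),
]
SAMPLE_TOPOLOGY = {
    # public-facing, can hop to two downstream services (inferred, not confirmed)
    "orders-api": Topology(reachability=1.0, network_exposure=1.0, lateral_hops=2),
    # private worker with an active Tricorder anomaly
    "billing-worker": Topology(reachability=1.0, network_exposure=0.2,
                               lateral_hops=0, anomaly=1.5),
}

if __name__ == "__main__":
    for row in rank_paths(SAMPLE_FINDINGS, SAMPLE_TOPOLOGY, SAMPLE_KEV):
        print(row)
    print(actionable_summary(SAMPLE_FINDINGS, SAMPLE_KEV))
```

Note that the same CVE in the two images lands in different places: the public orders-api copy scores ten times higher than the private billing-worker copy even with the anomaly multiplier, which is the point of ranking by path rather than by CVE count. The KEV finding stays on top despite its low EPSS because tier is the primary sort key.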
Remediation Plan
3 phases · 8 weeks · zero application-code changes
Phase 1 · Week 1-2 · Tier 1+2 fixes · 0 images → cleanstart/tomcat · ~70%
  • Rebuild all 0 Spring Boot + Tomcat images on CleanStart tomcat
  • Closes 0 KEV CVEs (actively exploited in the wild)
  • Closes most of the 0 high-EPSS CVEs in one shot
  • Dockerfile FROM swap only · no app code changes
Phase 2 · Week 2-4 · JRE consolidation · 0 images → cleanstart/jre · +20%
  • Rebuild 0 plain Spring / internal API images on CleanStart jre
  • Closes the remaining Tier 3 medium-EPSS CVEs
  • Validates env parity across the estate
  • Standard Spring Boot compatibility
Phase 3 · Week 5-8 · Specialty bases + hardening · 33 images + admission policy · +9%
  • Rebuild remaining 33 workload-specific images (e.g. Go binaries) on cleanstart-base
  • Continuous SBOM scanning on CI/CD (catches regressions)
  • Admission-controller policy: block any image with a CISA-KEV CVE
  • Final state: ~3-5 vulnerabilities per image across all 33 images
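The Phase 3 admission policy (block any image with a CISA-KEV CVE), as an added example of a CI/CD gate; it is not CleanSight's or CleanStart's code. The KEV feed stand-in copies only the shape of the real CISA JSON (a "vulnerabilities" list whose entries carry "cveID" and "dueDate"); its entries, the image tags and the scan findings are all constructed.

```python
# Added example (not CleanSight's code): admission gate that denies any image
# whose SBOM scan contains a KEV-listed CVE, with a CI-friendly exit code.
import json

# Constructed stand-in for the CISA KEV feed: same top-level shape as the real
# JSON ("vulnerabilities" list, "cveID", "dueDate"), but every entry is fake.
SAMPLE_KEV_FEED = json.dumps({
    "catalogVersion": "constructed",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vulnerabilityName": "constructed entry",
         "dateAdded": "2099-01-01", "dueDate": "2099-01-22"},
    ],
})

# Constructed scanner output: image tag -> findings using the dashboard's
# Package · Version and Layer columns. The lower-case ID is deliberate.
SAMPLE_SCAN = {
    "orders-api:1.4.2": [
        {"cve": "cve-2099-0001", "package": "libfoo 1.2.0", "layer": "base"},
        {"cve": "CVE-2099-0002", "package": "libbar 3.1.4", "layer": "app"},
    ],
    "billing-worker:2.0.0": [
        {"cve": "CVE-2099-0002", "package": "libbar 3.1.4", "layer": "app"},
    ],
}


def load_kev(raw_json: str) -> dict:
    """Map upper-cased CVE ID -> catalog entry. IDs are normalised because
    scanners do not agree on case, and a missed match here is a false allow."""
    feed = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def decide(image: str, findings: list, kev: dict) -> dict:
    """Deny if any finding is KEV-listed, regardless of CVSS or EPSS. The
    denial carries package, layer and CISA's due date so the rebuild ticket
    (usually a Dockerfile FROM swap) has everything it needs."""
    hits = []
    for f in findings:
        cve = f["cve"].upper()
        if cve in kev:
            hits.append({"cve": cve, "package": f["package"],
                         "layer": f["layer"], "due": kev[cve].get("dueDate")})
    hits.sort(key=lambda h: h["cve"])
    return {"image": image, "allowed": not hits, "kev_hits": hits}


def gate(scan: dict, kev: dict) -> tuple:
    """Evaluate every image; return (exit_code, decisions). A non-zero code
    lets the CI step fail the pipeline when any image is denied."""
    decisions = [decide(img, fs, kev) for img, fs in sorted(scan.items())]
    denied = any(not d["allowed"] for d in decisions)
    return (1 if denied else 0), decisions


if __name__ == "__main__":
    code, results = gate(SAMPLE_SCAN, load_kev(SAMPLE_KEV_FEED))
    for d in results:
        print("DENY " if not d["allowed"] else "ALLOW", d["image"], d["kev_hits"])
    raise SystemExit(code)
```

Two caveats follow from how KEV works: the catalog changes daily, so images that were admitted yesterday can be in violation today, and the check has to be re-run against already running images on each catalog update rather than only at build time; and the gate above has no exception path, which is intentional, since an image that cannot be rebuilt needs an explicit, time-boxed allowlist entry rather than a quietly weakened policy.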